Enhancing EMV Online PIN Verification. / Jayasinghe, Danushka; Akram, Raja; Markantonakis, Konstantinos; Rantos, Konstantinos; Mayes, Keith.

The 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-15): International Symposium on Recent Advances of Trust, Security and Privacy in Computing and Communications (IEEE RATSP-15). Helsinki, Finland : IEEE Computer Society, 2015. p. 1-10.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


Abstract

EMV (Europay MasterCard Visa) is a globally accepted standard for chip card-based payment transactions, which benefits from the intrinsic security characteristics of chip cards. The EMV specification is relatively flexible and can be deployed in both online and offline card acceptance environments. In the offline environment, payment terminals and cards communicate only with each other in order to approve or decline a payment transaction, whereas in the online environment authorisation entities are also involved in the overall process. An authorisation entity can be either the Card Issuing Bank (CIB) or the payment scheme operator (e.g. Visa, MasterCard). Aside from transaction authorisation, the EMV specifications define offline PIN verification as one of the main cardholder verification methods; in an online authorisation environment, the PIN verification process is instead referred to as Online PIN Verification (OPV). This process is the main focus of this paper. We discuss how the OPV process places indelible trust assumptions on the intermediary entities (subcontractors) between a payment terminal and a scheme operator/CIB. When this trust assumption is scrutinised, a potential attack scenario emerges in which an adversary can gain access to PIN data. An adversary can then use this information to carry out an online-PIN-approved transaction with the correct PIN but without the involvement of the genuine cardholder. We then propose three solutions based on the existing OPV process as potential countermeasures; these are implemented to measure any incurred performance penalties and subjected to mechanical formal analysis using CasperFDR.
Original language: English
Title of host publication: The 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-15)
Subtitle of host publication: International Symposium on Recent Advances of Trust, Security and Privacy in Computing and Communications (IEEE RATSP-15)
Place of Publication: Helsinki, Finland
Publisher: IEEE Computer Society
Pages: 1-10
Number of pages: 10
ISBN (Electronic): 978-1-4673-7951-9
State: Published - 20 Aug 2015

This open access research output is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

ID: 25114675